INSTITUTION:
DATE:
1.1 The board of directors is actively involved in the oversight of the operational risk management framework.
1.2 The Board has approved a firm-wide framework to manage operational risk as a distinct risk to the bank's safety and soundness.
1.3 The Board has provided senior management with clear guidance and direction regarding the principles underlying the framework.
1.4 The Board has reviewed policies developed by senior management.
    (a) List operational risk policies developed by senior management and provide approval/review status of each.
2. Regular review of framework by Board of Directors [SP (15)]
2.1 The Board has reviewed the framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems.
    (a) Identify how the bank assesses external operational risk factors and operational risks associated with new products.
2.2 The Board has assessed industry best practices in operational risk management, appropriate to the bank's activities, systems and processes.
3. Operational risk strategy [CAR Ch 6 (660) & Ch 7 (664); SP (13)]
3.1 The bank has an operational risk management system that is conceptually sound and is implemented with integrity.
    (a) Identify how the Board is educated and kept up to date on Basel II operational risk, including industry best practices in operational risk management and industry issues.
3.1 The bank's operational risk framework should be based on an appropriate definition of operational risk that clearly articulates what constitutes operational risk in that bank.
    (a) Provide the enterprise-wide definition of operational risk.
3.2 The bank has established its appetite and tolerance for operational risk, specified through policies for managing this risk and the bank's prioritization of operational risk management activities, including operational risk transferred outside the bank.
    (a) Provide details on the bank's risk appetite and operational risk tolerance.
    (b) Identify how the bank's appetite and tolerance for operational risk is communicated throughout the bank.
    (c) Describe the bank's management of operational risks transferred outside the bank.
3.3 The bank has established policies outlining its approach to identifying, assessing, monitoring and controlling/mitigating the risk.
    (a) List all operational risk policies.
Page 3 of 34
3.4 The bank has ensured that the level of formality and sophistication of its operational risk management framework is commensurate with its risk profile.
4. Board of Directors' establishment of a management structure [SP (14)]
4.1 The Board has established a management structure capable of implementing the firm's operational risk management framework.
    (a) Provide the bank's organization chart that describes the lines of management responsibility, accountability and reporting for operational risk.
4.2 The bank has established separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions.
4.3 The bank has articulated the key processes necessary to have in place to manage operational risk.
Senior Management
5. Role of senior management [CAR Ch 6 (660) & Ch 7 (664); SP (18)]
5.1 Senior management is actively involved in the oversight of the operational risk management framework.
5.2 Senior management has translated the operational risk management framework into specific policies, processes and procedures.
5.3 Senior management has implemented the operational risk management framework consistently across the whole bank.
5.4 Senior management has assigned authority, responsibility and reporting relationships to encourage and maintain accountability.
5.5 The bank has ensured the availability of necessary resources to manage operational risk effectively.
5.6 The bank has assessed the appropriateness of the management oversight process in light of risks inherent in a business unit's policy.
6. Effective communication of risk management [SP (20)]
6.1 Senior management has ensured that staff responsible for managing operational risk communicate effectively with staff responsible for managing credit, market and other risks, as well as those in the firm responsible for the procurement of external services such as insurance purchasing and outsourcing agreements.
Operational Risk Management Function
7. Operational risk management function [CAR Ch 6 (663a)]
7.1 The bank has an operational risk management system with clear responsibilities assigned to an operational risk management function.
7.2 The operational risk management function develops strategies to identify, assess, monitor and control/mitigate operational risk.
7.3 The operational risk management function codifies firm-level policies and procedures concerning operational risk management and controls.
7.4 The operational risk management function designs and implements the firm's operational risk assessment methodology.
7.5 The operational risk management function designs and implements the risk-reporting system for operational risk. [CAR Ch 7 (666a)]
7.6 AMA banks only: The operational risk management function is independent and responsible for the design and implementation of the bank's operational risk management framework.
    (a) Explain how the operational risk management function is independent and identify its key responsibilities.
8.1 The bank has an operational risk management system that is well documented.
8. Operational risk control and mitigation [CAR Ch 6 (663d) & Ch 7 (666d); SP (31)]
8.2 The bank has a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which includes policies for the treatment of non-compliance issues.
    (a) Describe how the bank ensures compliance with its internal policies, controls and procedures for operational risk.
8.3 AMA banks only: The internal operational risk measurement system is closely integrated into the day-to-day risk management processes of the bank. Its output is an integral part of the process of monitoring and controlling the bank's operational risk profile.
    (a) Identify how and where the operational risk measurement system is integrated into the bank's risk management processes.
8.4 The bank has decided between using appropriate procedures to control/mitigate identified operational risks, or bearing the risks.
    (a) Identify how the bank decides on its risk appetite and tolerance.
A. OPERATIONAL RISK GOVERNANCE (table columns: Area of Assessment; Reference; #; Criteria; Information Request; Assessment Rating)
8.5 For risks that cannot be controlled, the bank has decided how it will approach the operational risks (e.g., accept the risk, reduce the level of business activity or withdraw from the activity completely).
    (a) Describe how the bank manages operational risks that cannot be controlled.
8.6 The bank has a routine for ensuring compliance with documented internal policies concerning operational risk management systems, including verifying compliance with management controls.
9. Strong internal control culture [SP (32)]
9.1 The board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a bank.
    (a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence.
10. Staffing
10.1 The bank has sufficient resources in the major business lines to implement the adopted approach to operational risk, including control and audit areas. [CAR Ch 6 (660) & Ch 7 (664); SP (19)]
10.2 Bank activities are conducted by staff that is qualified with the necessary experience and technical capabilities.
    (a) Provide a description of current resources in both the internal audit and risk management functions.
10.3 Staff responsible for monitoring and enforcing compliance have authority independent from the units they oversee.
    (a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence.
10.4 Clear communication of operational risk management policy to staff at all unit levels incurring material operational risks.
    (a) Identify how the Bank's operational risk management policy is communicated throughout the bank.
11.1 An effective internal control system requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities that may create a conflict of interest. [SP (33)]
11.2 Areas of conflicts of interest are identified and minimized, and are subject to careful independent monitoring and review.
12.1 In addition to segregation of duties, the bank has ensured that other internal practices are in place as appropriate to control operational risk. [SP (34)]
    (a) Identify other internal practices in place to control operational risk.
13.1 The bank has paid special attention to internal control activities where it engages in new activities, develops new products, enters unfamiliar markets, and/or engages in unfamiliar geographic regions.
    (a) Identify the bank's operational risk assessment process for new business.
14.1 Operational risk mitigation tools or programmes are used to reduce the exposure to, or frequency and/or severity of, such events that cannot be controlled.
    (a) Identify any risk mitigation tools or programmes used to reduce exposure to high frequency/low severity events.
14.2 Operational risk mitigation tools are complementary to thorough internal operational risk control.
15. Information technology as operational risk mitigation tools [SP (37)]
15.1 Investments in appropriate processing technology and information technology security have been utilized.
16. Documentation controls and transaction-handling practices [SP (38)]
16.1 The bank has well documented policies, processes and procedures related to advanced technologies supporting high transaction volumes.
    (a) List documented policies, processes and procedures related to advanced technologies supporting high transaction volumes.
17. Remuneration policies [SP (22)]
17.1 Remuneration policies are consistent with the bank's operational risk appetite.
    (a) Identify any remuneration policies.
Internal Audit Function
18. Internal audit coverage [SP (21); CAR Ch 6 (663e)]
18.1 The bank's operational risk management processes and assessment system are subject to validation and regular independent review (these reviews include the activities of both the business units and of the operational risk management function).
    (a) Describe the responsibilities of the audit function with respect to operational risk.
18.2 There has been adequate internal audit coverage to verify effective implementation of policies and procedures (including activities of business units and the operational risk management function).
    (a) Describe the audit plan, scope and work completed with respect to operational risk management.
18.3 There is Board assurance that the scope and frequency of the audit programme is appropriate to the risk exposures. [SP (16)]
18.4 Audit has performed a periodic validation that the firm's operational risk management framework is being implemented effectively across the firm.
19. Independence of Internal Audit [SP (17)]
19.1 The internal audit function does not have direct operational risk management responsibilities. [Note: The internal audit function at some banks (particularly smaller banks) may have initial responsibility for developing an operational risk management programme. Where this is the case, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner.]
    (a) Describe how the internal audit function maintains its independence from operational risk management.
20.1 The bank has regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors.
    (a) Identify operational risk reporting activities directed at senior management and the board of directors and indicate the frequency.
20.2 The bank has procedures for taking appropriate action according to the information within the management reports.
    (a) Describe how the bank uses the information within operational risk management reports.
SP (26)
20.3 There are practices in place for prompt detection and management of deficiencies in policies, processes and procedures for managing operational risk.
    (a) Describe the monitoring process for policies, processes and procedures.
20.4 The bank has established policies for identification of appropriate indicators that provide early warning of an increased risk of future losses.
    (a) Identify early warning indicators used for operational risk in reporting activities.
21.1 The frequency of monitoring reflects the operational risks involved and the frequency and nature of changes in the operating environment.
21.2 Reports are included in regular management and Board reports.
22.1 Senior management has received regular reports from appropriate areas such as business units, group functions, the operational risk management office and internal audit.
    (a) Provide a list of regular reports from business units, group functions, the operational risk management office and internal audit reviewed by senior management and indicate the reporting frequency.
SP (27); SP (28); SP (29)
22.2 Operational risk reports contain internal financial, operational, and compliance data, and other information relevant to decision making.
22.3 Reports reflect identified problem areas and motivate timely corrective action on outstanding issues.
    (a) Describe how reports are used to ensure that problem areas receive appropriate corrective action.
1.1 Specific policies and documentation of criteria have been developed for mapping gross income for current business lines and activities into the standardised framework.
    (a) Provide all policies and documentation of criteria developed for mapping gross income.
1.2 Criteria must be reviewed and adjusted for new or changing business activities as appropriate.
2.1 All activities are mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner.
    (a) Identify if all activities have been mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner.
    (b) Identify any existing gaps and the action plans to close them.
2.2 Any banking/non-banking activity that cannot be readily mapped into the business line framework, but which represents an ancillary function to an activity included in the framework, is allocated to the business line it supports. If more than one business line is supported through the ancillary activity, objective mapping criteria are used.
    (a) If appropriate, describe the objective mapping criteria being used.
2.3 If an activity cannot be mapped into a particular business line, then the business line yielding the highest charge is used. The same business line equally applies to any associated ancillary activity.
    (a) Identify any activities that could not be mapped into a particular business line and provide the charge used.
2.4 Internal pricing methods are used to allocate gross income between business lines, provided that total gross income for the bank still equals the sum of gross income for the eight business lines.
    (a) Discuss the pricing methods used to allocate gross income.
2.5 Mapping of activities into business lines for operational risk capital purposes is consistent with the definitions of business lines used for regulatory capital calculations in other risk categories. Any deviations must be clearly motivated and documented.
    (a) Identify any activities that are inconsistent with Basel business line definitions.
    (b) Identify motivations for any existing deviations.
2.6 The mapping process is clearly documented. More specifically, business line definitions are sufficiently documented to allow for business line mapping replication.
    (a) Identify documentation for the mapping process and assess its allowance for business line mapping replication.
2.7 Documentation must clearly motivate any exceptions or overrides and be kept on record.
    (a) Identify how documentation addresses exceptions and overrides.
2.8 Processes are in place to define the mapping of any new activities or products. [CAR Ch 6 Annex 6(h); Ch 7 Annex 6(h)]
    (a) Identify processes in place to define the mapping of any new activities or products.
2.9 [CAR Ch 6 Annex 6(i); Ch 7 Annex 6(i)]
    (a) Identify who is responsible for the mapping policy.
    (b) Identify the format in which the mapping policy has been presented and approved by the Board.
    (a) Identify if the mapping process has been subject to independent review (and by whom). If independent review has not taken place, identify future plans to do so.
1. Bank's internal operational risk assessment system using operational loss data [CAR Ch 6 (663b)]
1.1 The bank has a systematic tracking of relevant operational risk data including material losses by business line.
1.2 There is close integration of the operational risk assessment system into the risk management process of the bank.
1.3 Output is an integral part of the process of monitoring and controlling the bank's operational risk profile.
    (a) Describe how the bank uses operational risk data (including loss data) to monitor the bank's operational risk profile.
1.4 Operational risk data (including loss data) has a role in risk reporting, management reporting, and risk analysis.
    (a) List all reports using operational risk data (including loss data), identifying how the reports are distributed.
1.5 There are techniques for creating incentives to improve the management of operational risk throughout the firm.
    (a) Identify any techniques the bank uses for creating incentives to improve the management of operational risk throughout the firm.
2.1 There is regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors.
2.2 There are procedures for taking appropriate action according to the information within the management reports.
    (a) Describe how the operational risk exposure reports are used to respond to operational risk and the management of the risk.
1.1 The bank has an effective risk identification process of both internal and external factors that could adversely affect the achievement of the bank's objectives.
    (a) Describe the bank's processes for identification of both internal and external risk factors.
2.1 The bank assesses the vulnerability of potentially adverse risks to better understand its risk profile and target risk management resources.
3.1 Self- or risk assessment: The bank completes an internal assessment of its operations and activities against a menu of potential operational risk vulnerabilities. [SP (25)]
    (a) Identify if the bank is using a Risk Control Self-Assessment process.
    (b) Describe the process and state if it is an enterprise-wide process.
    (c) Describe how RCSA results are used in risk identification as well as mitigation.
    (d) Describe the effectiveness of the risk control self-assessment process.
3.2 Self- or risk assessment: This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment.
    (a) Describe how the process identifies the strengths and weaknesses of the operational risk environment.
3.3 Risk mapping: The bank has mapped various business units, organizational functions or process flows by risk types.
    (a) Identify if the bank is risk mapping business units, organizational functions or process flows by risk types.
    (b) Describe this risk mapping process.
    (c) Describe how risk mapping is used for risk identification and mitigation.
3.4 Risk indicators: The bank uses statistics and/or metrics to provide a view of the bank's risk position.
    (a) Identify if the bank is using key risk indicators to assess operational risk.
    (b) Provide a list of key risk indicators used by the bank.
    (c) Describe how the key risk indicators were developed.
    (d) Identify how key risk indicators are used.
    (e) Describe how key risk indicators reported to senior management and the board are used.
3.4 Measurement: The bank has established practices for quantification of exposure to operational risk using a variety of approaches.
    (a) Identify if the bank has established practices for quantification of operational risk exposure.
    (b) Describe the quantification approaches used.
4. Reporting [n/a]
4.1 Operational risk results from risk assessment tools are reported and used in the management of operational risk.
    (a) List all reports of risk assessment tools and indicate how they are used.
4.2 There is appropriate reporting of results from risk assessment tools to the Board, senior management and business units.
1.1 The bank has established policies for managing the risks associated with outsourcing activities.
1.2 The board of directors and senior management have ensured that third-party activity is conducted in a safe and sound manner and in compliance with applicable laws.
    (a) Describe the Board and senior management oversight of third-party activity.
1.3 Outsourcing arrangements have been based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing banks.
1.4 The bank is managing residual risks associated with outsourcing arrangements, including disruption of services. [SP (40)]
    (a) Describe the bank's process for determining the materiality of outsourcing arrangements.
1.5 The Board and management have ensured that the expectations and obligations of each party are clearly defined, understood and enforceable.
1.6 The bank carries out an initial due diligence test and monitors third-party activities on a regular basis.
    (a) Describe the initial due diligence test and indicate how third-party activities are regularly monitored.
    (b) Describe the bank's program for managing and monitoring risks of the outsourcing arrangements.
1.7 For critical activities, the bank has considered contingency plans, including availability of alternative external parties and the costs and resources required to switch external parties.
2.1 The bank's decision to retain or self-insure the risk is transparent within the organization and consistent with the bank's overall business strategy and risk appetite. [SP (41)]
3.1 The bank is required to establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the bank may be vulnerable, commensurate with the size and complexity of the bank's operations.
3.2 The bank has identified critical business processes, including dependence on external vendors or third parties, for which rapid resumption of service would be most essential.
3.3 The bank has identified alternative mechanisms for resuming service in the event of an outage. [SP (43)]
3.4 The off-site facilities where back-ups of records are stored are an adequate distance away from the impacted operations.
    (a) Identify the location of off-site facilities.
3.5 There is a periodic review of the DRP/BCP to ensure consistency with the bank's current operations and business strategies. [SP (44)]
    (a) Describe the bank's process for reviewing the DRP/BCP.
3.6 Plans are tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption.
    (a) Identify the frequency for testing plans.
Note: In addition to the BIS Sound Practices, institutions are required to comply with the "OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes".
1.1 The bank's AMA model captures potentially severe tail loss estimates.
1.2 The bank's AMA model is comparable to a one-year holding period and a 99.9th percentile confidence interval. [CAR Ch 7 (669b)]
1.3 The bank is calculating the operational risk regulatory capital requirement as the sum of expected loss and unexpected loss.
1.4 The bank is adequately capturing EL in its internal business practices.
    (a) Provide the bank's documentation on how operational risk EL is measured and accounted for.
1.5 The bank's AMA model captures the major drivers of the operational risk affecting the shape of the tail loss estimates.
2.1 Internally determined correlations are used in operational risk modelling. The bank can demonstrate that its systems for determining correlations are sound and implemented with integrity and take into account the uncertainty surrounding any such correlation estimates (particularly in periods of stress).
    (a) Provide details on how correlation is integrated into the model and the rationale for its use in calculating the capital requirement.
    (b) For internally determined correlations, identify the assumptions used and discuss the methods used for estimating correlation.
2.2 The bank validates its correlation assumptions using appropriate quantitative and qualitative techniques.
    (a) Identify how the bank is validating its correlation assumptions.
3. Four fundamental elements: internal data; external data; scenario analysis; business environment and internal controls [CAR Ch 7 (669e); CAR Ch 7 (669f)]
3.1 Key elements of the bank's operational risk measurement system include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control system.
    (a) Provide a brief summary of how these 4 elements are used in the operational risk measurement system.
3.2 Weighting of the 4 fundamental elements follows a credible, transparent, well-documented and verifiable approach.
3.3 The approach for weighting the 4 fundamental elements is internally consistent.
    (a) Provide documentation and rationale for the approach taken in weighting each fundamental element.
3.4 Double counting of qualitative assessments or risk mitigants already recognised in other elements of the framework is avoided in the approach for weighting the 4 fundamental elements.
4.1 The bank has documented procedures for assessing the historical internal loss data for its relevance and use in the operational risk measurement system.
    (a) Provide the documented procedures.
4.2 The bank is using at least 3 years of historical internal loss data if internal loss data is being used to either build or validate the operational risk measurement system.
4.3 The bank has documented its criteria for mapping historical internal loss data to Basel business lines and event types.
    (a) Provide the documented criteria.
4.4 The internal loss data is comprehensive and captures appropriate sub-systems and geographic locations.
    (a) Provide rationale for excluding loss activities and exposures, if any, from the loss collection process.
4.5 The bank has an appropriate gross loss threshold for internal loss data collection.
4.6 The bank has specific criteria for allocating operational losses that span across business lines or occur in a centralized function.
    (a) Provide the specific criteria.
4.7 All material operational losses related to the definition of operational risk are identified in the loss data collection.
    (a) Identify the bank's approach to collecting operational losses related to credit and market risk.
[CAR Ch 7 (672); CAR Ch 7 (673)]
5. External Data [CAR Ch 7 (674)]
5.1 The bank's system uses relevant external loss data in its operational risk measurement system.
    (a) Identify the sources of external loss data used in the bank's operational risk measurement system.
5.2 The bank has a systematic process for determining how and when external loss data is used in its operational risk measurement system.
5.3 The conditions and practices for using external loss data are regularly reviewed, documented and subject to periodic independent review.
    (a) Provide the documentation discussing the conditions and practices for using external loss data.
6. Scenario Analysis [CAR Ch 7 (675)]
6.1 The bank uses scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.
    (a) Describe how scenario analysis is used in the operational risk measurement system.
7.1 Factors used in the operational risk measurement system are meaningful risk drivers and were chosen based on experience and expert judgement. [CAR Ch 7 (676)]
    (a) Identify the rationale used for choosing business environment and internal control factors and provide a brief description of how they are used.
    (b) Indicate if factors are translatable into quantitative measures.
7.2 The framework and each instance of its application must be documented and subject to independent review.
Advanced Measurement Approach Methodology
8.1 The recognition of insurance mitigation is less than 20% of the total operational risk regulatory capital charge.
8.2 The insurance provider has a minimum claims paying ability rating of A.
8.3 The insurance policy has an initial term of no less than one year.
8.4 The insurance policy has a minimum notice period for cancellation of 90 days.
8.5 The insurance policy has no exclusions or limitations triggered by supervisory actions.
8.6 The risk mitigation calculations reflect the insurance coverage.
8.7 The insurance is provided by a third-party entity.
8.8 The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.
9. Allocation Methodology [CAR Ch 7 (656)]
9.1 The bank intends, with supervisory approval, to use an allocation mechanism for the purpose of determining the operational risk capital requirement for its subsidiaries.